A.15 Supplier relationships

Version: 3.0

Valid until: 2025-04-12

Classification: Low

Version Management

Version | Author(s)                          | Change(s)                                                                                                                                                                                              | Date approved
1.0     | Stefan van Aalst, Edward Robinson  | Initiation document                                                                                                                                                                                    | 2022-06-24
1.1     | Edward Robinson                    | Additions/changes as part of the periodic review and improvement. Renamed to A.15 Supplier relationships from B12 Management of suppliers.                                                             | 2022-12-23
2.0     | Edward Robinson                    | Additions/changes as part of the annual review. Added the monthly scheduled meeting to keep the supplier list up-to-date and the ticket under Administrations. Added frequency of supplier reviews.     | 2023-06-01
3.0     | Edward Robinson                    | Additions/changes as part of the annual review. Fixed broken links under Administrations.                                                                                                              |

Purpose & background


In the interest of all stakeholders, the top management of anDREa B.V. (hereafter called anDREa) is actively committed to demonstrably maintaining and continually improving an information management system in accordance with the requirements of ISO 27001:2017.


The purpose of this document is to describe the supplier relationships policy of anDREa and the associated controls, checks and administrations.


This document will be reviewed at least annually and when significant change happens.

Objectives


The objectives of this control are:


  • To ensure protection of the organisation’s assets that are accessible by suppliers (A.15.1).

  • To maintain an agreed level of information security and service delivery in line with supplier agreements (A.15.2).

Scope

The scope of this document corresponds to Clause 4 Context of the organisation.

Availability

This document is:


  • required reading for:

    • all employees and contractors of anDREa.

  • available for all interested parties as appropriate.

Norm elements

A.15.1 Information security in supplier relationships

A.15.1.1 Information security policy for supplier relationships


“Information security requirements for mitigating the risks associated with supplier’s access to the organisation’s assets shall be agreed with the supplier and documented.”


Principles:

  • anDREa has established a list of supplier categories (Types of suppliers). Per category, minimum requirements are set;

  • anDREa maintains a list of suppliers and has identified critical suppliers for processes within anDREa;

  • anDREa maintains a directory for suppliers which includes (but is not limited to) supplier agreements, data processing agreements, NDAs and relevant certificates/reports;

  • The suppliers list and directory for suppliers are kept up-to-date through scheduled monthly meetings between the Security Officer and Business Manager. Updates are tracked in a ticket;

  • The type of information that the supplier/application has access to is classified as sensitive or non-sensitive;

  • Access to anDREa’s assets is registered per individual in anDREa People in accordance with A.8 Asset management and A.9 Access control;

  • Suppliers are periodically reviewed and the outcome is tracked in a ticket. There will be a ticket per supplier;

  • Critical suppliers (exceptions under A.15.2.1) are at least annually reviewed and the outcome is tracked in a ticket. There will be a ticket per supplier;

  • Suppliers are reviewed based on the presence and content of the general information security requirements as defined in Types of suppliers and, if applicable, supplier-specific (additional) requirements;

  • If applicable (such as for the hiring of external employees), anDREa will provide an information security awareness training;

  • Suppliers are obliged to report (suspected) information security incidents when working in anDREa systems in accordance with A.16 Information security incident management.


A.15.1.2 Addressing security within supplier agreements


“All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organisation’s information.”


Principles:

The following terms are considered for inclusion in the agreements in order to satisfy the identified information security requirements, depending on the supplier:


  • A description of the information to be provided or accessed and the methods of providing or accessing the information;

  • The classification of information in accordance with A.8.2 Information classification;

  • The legal and regulatory requirements, including data protection, intellectual property rights and copyright, and confidentiality, together with a description of how it will be ensured that they are met;

  • The information security policies relevant to the specific contract, such as access control, incident management procedures and other relevant procedures;

  • Notification in case of an information security incident or of significant changes in information security policies;

  • Either an explicit list of supplier personnel authorized to access or receive the organization’s information, or procedures or conditions for granting and removing that authorization;

  • Contact person information for information security related questions and procedures;

  • The relevant regulations for sub-contracting, including the controls that need to be implemented;

  • The right to audit the supplier processes and controls related to the agreement.


Termination of supplier agreement


There may be various reasons for terminating an agreement with a supplier or major revisions in the agreement itself might be needed. Terms and requirements for termination of a supplier agreement are described in the supplier agreement itself. 


The following topics must be taken into consideration:

  • In case of a critical supplier, a security impact assessment might be necessary.

  • Offboarding of a supplier:

    • If applicable, removing access rights.

    • Ensure that the information that was provided to the supplier has been deleted. For this, confirmation of deletion must be provided by the supplier.

    • Informing employees/partners/customers that the supplier relationship has ended.


All of the above are registered in a ticket by the Security Officer.


Exceptions


There are two exception cases where it might be difficult to follow the above guidelines:

  • anDREa has agreements that have already been concluded before this policy came into effect, therefore it might be difficult to impose additional requirements.

    • Enter in a conversation with the supplier.

    • If the supplier is not willing to cooperate, a risk assessment will be performed and it can be decided to switch to a different supplier.

  • anDREa has an agreement with a large supplier (often suppliers of applications that are used worldwide, such as Microsoft). These suppliers use standard agreements that they do not deviate from.

    • Review the standard agreements and determine if any requirements are missing.

    • Perform a security impact assessment, based on the results it can be decided to switch to a different supplier.


A.15.1.3 Information and communication technology supply chain


“Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.”


anDREa has established supplier agreements in which the technology services and product supply chain requirements are detailed. An example is the Microsoft Data Protection Agreement.

anDREa recognizes that its size compared to some of the very large providers it will sometimes be working with (e.g. data centers & hosting services, banks etc.) potentially limits its ability to influence practices further into the supply chain.


A.15.2 Supplier service delivery management

A.15.2.1 Monitoring and review of supplier services


“Organisations shall regularly monitor, review and audit supplier service delivery.”

Monitoring and review of supplier services ensures that the information security terms and conditions of the agreements are being adhered to and that information security incidents and problems are managed properly (in accordance with A.16 Information security incident management).


anDREa will:


  • Monitor service performance levels to verify adherence to the agreements (example: Microsoft Azure service level agreement);

  • Review critical suppliers periodically and when significant changes occur:

    • Small or unknown parties in the ecosystem: annually;

    • Large or known companies: every 3 years.

  • Stay up-to-date on information security incidents regarding the supplier. anDREa will require the supplier to promptly notify regarding information security incidents.

  • If applicable, conduct audits of suppliers, in conjunction with the review of independent auditor’s reports, if available, and follow-up on issues identified.

  • Resolve and manage any identified problems.

  • Require suppliers to have a conflict resolution process that can be invoked if requirements are not met.


A.15.2.2 Managing changes to supplier services


“Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.”


Principles:

The following aspects are being taken into consideration:


  • Changes to supplier agreements;

  • Changes in supplier services to implement:

    • Changes and enhancement to networks;

    • Use of new technologies;

    • Adoption of new products or newer versions/releases;

    • New development tools and environments;

    • Changes to the physical location of service facilities;

    • Change of suppliers;

    • Sub-contracting to another supplier.

  • Changes made by the organization to implement:

    • Enhancements to the current services offered;

    • Development of any new applications and systems;

    • Modifications or updates of the organization’s policies and procedures;

    • New or changed controls to resolve information security incidents and to improve security.


All of the above will be registered in tickets.

Administrations

